The ThreatStop service has two parts:
1- Updating the list of IPs that must be blocked and the list that must be allowed (whitelist). The same lists are used for inbound and outbound traffic, so the rules are applied to both the source and the destination of incoming packets but only to the destination of outgoing packets.
2- Uploading the router logs (firewall logs for the ThreatStop block rules) for analysis and graphical presentation.
All the paths mentioned here are relative to /home/vyatta, which is the home folder when you log in as user “vyatta”.
Here we focus on item 1. The user-defined lists and the TS internal feeds are used to update and sync the file /ts-vyatta/TS.new.
This is done by running the script /ts-vyatta/ipsetget.pl, either manually or as a cron job. The script makes a DNS query to a customized name server, which syncs TS.new with the lists selected on the TS portal for each router.
The file TS.new is then used to update the network-groups and address-groups that are used later in the firewall rules.
The address-group and network-group in Vyatta are a front end to the Linux utility “ipset”, and TS uses ipset in its scripts to build those address and network groups from the file TS.new.
The address-group names are TSallowaddr and TSblockaddr; the network-group names are TSallownet and TSblocknet.
The TS.new file is updated every two hours using the following cron job:
—————————————————————————————-
vyatta@router0:~$ sudo crontab -l
# Update the ThreatSTOP lists. Every 2 hours, 12 minutes after the hour
# (00:12, 02:12, 04:12, etc.)
12 */2 * * * /home/vyatta/ts-vyatta/ipsetget.pl
# Force a logrotate if the log is > 100k. Check every 17 minutes after the hour
17 * * * * perl -e 'exec q(/usr/sbin/logrotate -f /etc/logrotate.d/messages) if (stat q(/var/log/messages))[7]>100000;'
————————————————————————————
We can also manually force an update by running the command:
# sudo ts-vyatta/ipsetget.pl
However, when we add an IP to the user-defined list it will take 15-20 minutes until it is pushed to the file TS.new.
This can be verified by checking the file TS.new. For example, to check whether the IP 199.x.x.x is in TS.new we can use the following command (-F matches the address literally rather than as a regular expression):
# grep -F '199.x.x.x' ts-vyatta/TS.new
The network and address groups for whitelisted and blocked IPs are defined with the seed entries below; the addresses and networks in /ts-vyatta/TS.new are appended to them later.
set firewall group address-group TSallowaddr address '64.87.26.147'
set firewall group address-group TSblockaddr address '0.0.0.1'
set firewall group network-group TSallownet network '24.249.204.0/29'
set firewall group network-group TSblocknet network '169.254.0.0/16'
The address-groups TSallowaddr and TSblockaddr and the network-groups TSallownet and TSblocknet are updated from the file TS.new every time the script ipsetget.pl is run. This is done directly with the ipset command from the bash shell; the Vyatta configuration shell is not used, so the entries added from TS.new are visible through ipset rather than in the Vyatta configuration.
Rules in the firewall rule set named “121”, which is applied to inbound packets. Rules are evaluated in ascending number order, so the allow rules (70-76) are matched before the block rules (78-84):
set firewall name 121 rule 70 destination group address-group 'TSallowaddr'
set firewall name 121 rule 72 destination group network-group 'TSallownet'
set firewall name 121 rule 74 source group address-group 'TSallowaddr'
set firewall name 121 rule 76 source group network-group 'TSallownet'
set firewall name 121 rule 78 source group address-group 'TSblockaddr'
set firewall name 121 rule 80 source group network-group 'TSblocknet'
set firewall name 121 rule 82 destination group address-group 'TSblockaddr'
set firewall name 121 rule 84 destination group network-group 'TSblocknet'
Rules in the firewall rule set named “TSrtoutrule”, which is applied to outbound packets and checks only the destination:
set firewall name TSrtoutrule rule 10 destination group address-group 'TSallowaddr'
set firewall name TSrtoutrule rule 11 destination group network-group 'TSallownet'
set firewall name TSrtoutrule rule 12 destination group address-group 'TSblockaddr'
set firewall name TSrtoutrule rule 13 destination group network-group 'TSblocknet'
To temporarily disable the blocking rules we can use the following commands:
set firewall name 121 rule 78 disable
set firewall name 121 rule 80 disable
set firewall name 121 rule 82 disable
set firewall name 121 rule 84 disable
set firewall name TSrtoutrule rule 10 disable
set firewall name TSrtoutrule rule 11 disable
set firewall name TSrtoutrule rule 12 disable
set firewall name TSrtoutrule rule 13 disable
We can also disable the allow (whitelist) rules if necessary.
To reactivate the rules, replace “set” with “delete”:
delete firewall name 121 rule 78 disable
delete firewall name 121 rule 80 disable
delete firewall name 121 rule 82 disable
delete firewall name 121 rule 84 disable
delete firewall name TSrtoutrule rule 10 disable
delete firewall name TSrtoutrule rule 11 disable
delete firewall name TSrtoutrule rule 12 disable
delete firewall name TSrtoutrule rule 13 disable
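The following is an added example, not part of the ThreatStop scripts or the Vyatta configuration above: it models the matching order of the two rule sets (allow before block, both directions checked inbound, destination only outbound) and the effect of the "disable" commands, so you can check which ThreatStop rule a given packet would hit before committing a change. The group contents are the page's seed entries plus one constructed address (198.51.100.23); the rule actions are not listed on the page, so only the match is reported.

```python
import ipaddress

# Constructed group contents: the seed entries from the "set firewall group" commands
# plus one constructed block address. On the router, ipsetget.pl fills these from TS.new.
GROUPS = {
    "TSallowaddr": ["64.87.26.147"],
    "TSblockaddr": ["0.0.0.1", "198.51.100.23"],   # 198.51.100.23 is constructed
    "TSallownet":  ["24.249.204.0/29"],
    "TSblocknet":  ["169.254.0.0/16"],
}

# Rule order exactly as configured above. Vyatta evaluates rules in ascending
# number order, so the allow rules match before the block rules in both sets.
RULES = {
    "121": [  # inbound: both source and destination are checked
        (70, "destination", "TSallowaddr"), (72, "destination", "TSallownet"),
        (74, "source", "TSallowaddr"),      (76, "source", "TSallownet"),
        (78, "source", "TSblockaddr"),      (80, "source", "TSblocknet"),
        (82, "destination", "TSblockaddr"), (84, "destination", "TSblocknet"),
    ],
    "TSrtoutrule": [  # outbound: only the destination is checked
        (10, "destination", "TSallowaddr"), (11, "destination", "TSallownet"),
        (12, "destination", "TSblockaddr"), (13, "destination", "TSblocknet"),
    ],
}

def in_group(ip, group):
    """True if ip is one of the group's addresses or lies inside one of its networks."""
    addr = ipaddress.ip_address(ip)
    # A bare address becomes a /32 network, so one check covers both group kinds.
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in GROUPS[group])

def first_match(rule_set, src, dst, disabled=()):
    """Return (rule number, group) of the first enabled rule whose group matches the
    packet, or None when no ThreatStop rule matches. `disabled` holds rule numbers
    that have been 'set ... disable'd, as in the temporary-disable commands above."""
    for number, field, group in RULES[rule_set]:
        if number in disabled:
            continue
        if in_group(src if field == "source" else dst, group):
            return number, group
    return None

if __name__ == "__main__":
    print(first_match("121", "169.254.10.5", "10.0.0.1"))          # (80, 'TSblocknet')
    print(first_match("121", "169.254.10.5", "64.87.26.147"))      # (70, 'TSallowaddr'): allow wins
    print(first_match("TSrtoutrule", "169.254.10.5", "10.0.0.1"))  # None: outbound ignores the source
```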